Abstract: The cryptographic hash function SHA-256 is one member of the SHA-2 hash family, which was proposed in 2000 and standardized by NIST in 2002 as a successor of SHA-1. Although a differential fault attack on the SHA-1 compression function has been proposed, it cannot be directly adapted to SHA-256. In this paper, an efficient algebraic fault attack on the SHA-256 compression function is proposed under the word-oriented random fault model. During the attack, the automatic tool STP is used: it constructs binary expressions for the word-based operations of the SHA-256 compression function and then invokes a SAT solver to solve the resulting equations. In simulation, the new attack needs about 65 fault injections to recover the chaining value and the input message block, in about 200 seconds on average. Moreover, based on the attack on the SHA-256 compression function, an almost universal forgery attack on HMAC-SHA-256 is presented. Our algebraic fault analysis is generic, automatic and can be applied to other ARX-based primitives.

Keywords: Algebraic Fault Analysis, HMAC, SHA-256 
Compression Function, SAT solver, STP. 

I. INTRODUCTION 

Over the last decade, the cryptographic community has begun to investigate the security of hardware implementations of cryptographic algorithms. As a common form of Side Channel Attack (SCA), Differential Fault Analysis (DFA) induces faults into the computation performed by the hardware device and takes the faulty output values as the side channel. The relations between the correct and faulty outputs are then exploited to extract secret information of the target cryptographic algorithm from the device.

The concept of fault attacks was first introduced by Boneh, DeMillo and Lipton in 1996 [6, 7]. Then Biham and Shamir proposed the DFA attack in 1997, which processes the correct and faulty outputs with differential cryptanalysis [8]. After that, DFA has been successfully applied to many block ciphers and stream ciphers, such as AES [12, 33, 34], SHACAL-1 [11], LED [35, 36], Piccolo [37], PRINCE [24], Trivium [9, 23] and RC4 [13, 14]. Besides attacks against block and stream ciphers, DFA attacks on the compression functions of hash functions have also been studied. At FDTC 2011, Hemme et al. proposed a DFA attack on the SHA-1 compression function under the word-oriented random fault model [5]. Its basic principle is to construct single-variable equations by exploiting the differences between the correct output and the faulty outputs to retrieve the internal state and the input message block. Based on this attack, similar DFA attacks on the HAS-160 and MD5 compression functions have been discussed in [21, 22]. At FDTC 2012, Fischer et al. presented a DFA attack on Grøstl-256 [39], whose structure is similar to that of AES.

Instead of combining fault attacks with differential cryptanalysis, Courtois et al. proposed algebraic fault analysis (AFA) on DES at eSmart 2010 [10], which combines fault attacks with algebraic techniques [32]. An AFA attack first constructs algebraic equations for the cipher and the faults, and then invokes automatic tools to solve the equations and recover the secret information of the cipher. An important advantage of AFA over DFA is that AFA does not rely on manual analysis of differential propagation. By applying AFA, the previous DFA attacks on block and stream ciphers have been improved, e.g., for AES [30], LED [26, 31], Piccolo [4] and Trivium [29].

The SHA-2 hash family was proposed as a successor of SHA-1 in 2000 and was standardized by NIST in 2002. SHA-256 is the member of the SHA-2 family that outputs a 256-bit digest. There is little research on the resistance of SHA-256 against fault attacks. In [38], Jeong et al. recovered the secret key of HMAC/NMAC-SHA-2 by reducing the number of steps of the SHA-2 compression function via fault injections during the calculation of HMAC/NMAC [1]. Their fault model assumes that the adversary can precisely modify the number of steps of the target compression function and is therefore very restrictive. In this paper, the security of the SHA-256 compression function against fault attacks is investigated under a more relaxed and realistic fault model, i.e., the 32-bit word-oriented random fault model.

Although SHA-256 shares design principles with SHA-1, the concrete structure of SHA-256 prevents the attack in [5] from being applied directly to the SHA-256 compression function under the word-oriented random fault model. However, the SHA-256 compression function turns out to be vulnerable to AFA, and thus an AFA attack against it is proposed in this paper. During the attack, the automatic toolkit STP [25] is applied; it constructs binary expressions for every simple operation in the compression function, i.e., addition, Boolean function, rotation and XOR, and then invokes a SAT solver to solve the algebraic equations. By injecting about 65 faults, the secret inputs of the SHA-256 compression function are revealed in about 200 seconds on average. Based on this attack, an almost universal forgery attack on HMAC-SHA-256 is proposed. Our attack is generic and can easily be extended to evaluate the security of other ARX-based primitives against AFA.

The rest of this paper is organized as follows. Section II briefly describes the SHA-256 hash function and the HMAC algorithm; the reason why the DFA attack in [5] cannot be applied to the SHA-256 compression function is also discussed there. Section III proposes an AFA attack on the SHA-256 compression function using STP [25] under the word-oriented random fault model. Section IV presents an almost universal forgery attack on HMAC-SHA-256 based on the AFA attack on the SHA-256 compression function. Section V briefly discusses how the concrete structure of SHA-256 affects AFA and the potential application of AFA to improve the DFA on the SHA-1 compression function. Finally, the last section concludes the paper.

II. PRELIMINARIES 

A. SHA-256 hash function 

The SHA-2 hash family consists of four hash functions with digests of length 224, 256, 384 and 512 bits, i.e., SHA-224, SHA-256, SHA-384 and SHA-512. In the following, a brief description of the SHA-256 algorithm is given. For more details, please refer to [2]. First, the original message $M$ is padded to a multiple of 512 bits according to Merkle-Damgård strengthening, i.e., a single bit "1", a variable number of 0s, and the 64-bit binary representation of the length of $M$ are appended at the end. Then the padded message is parsed into 512-bit message blocks $M_0, M_1, \dots, M_{L-1}$. The hash value is computed as follows:

$H_0 = IV, \quad H_{i+1} = CF(M_i, H_i), \quad 0 \le i < L,$

where $H_i$ is a 256-bit chaining value consisting of 8 32-bit words, and $+$ denotes addition modulo $2^{32}$ throughout. The last chaining value $H_L$ is the output of the hash function. The compression function $CF(M_i, H_i)$ consists of two parts: the message expansion and the state update transformation.

1. Message expansion

The message schedule of SHA-256 splits $M_i$ into 16 32-bit message words $m_0, m_1, \dots, m_{15}$ and expands them into 64 32-bit words $W_t$ for $0 \le t \le 63$, according to the following equation:

$W_t = m_t$ for $0 \le t < 16$,
$W_t = \sigma_1(W_{t-2}) + W_{t-7} + \sigma_0(W_{t-15}) + W_{t-16}$ for $16 \le t \le 63$.

The functions $\sigma_0(x)$ and $\sigma_1(x)$ are defined as follows:

$\sigma_0(x) = (x \ggg 7) \oplus (x \ggg 18) \oplus (x \gg 3),$
$\sigma_1(x) = (x \ggg 17) \oplus (x \ggg 19) \oplus (x \gg 10),$

where $\oplus$ denotes XOR, and $\ggg$ and $\gg$ denote right rotation and right shift respectively.

2. State update transformation

The 256-bit chaining value $H_i$ is updated by applying the step function 64 times. Let $p_t = a_t \| b_t \| c_t \| d_t \| e_t \| f_t \| g_t \| h_t$ be the input of step $t$ ($t = 0, \dots, 63$), i.e., $p_0 = H_i$ and $p_{64}$ is the output of step 63. Figure 1 illustrates the transformation of step $t$: it computes

$T_t = h_t + \Sigma_1(e_t) + Ch(e_t, f_t, g_t) + K_t + W_t,$

and sets $a_{t+1} = T_t + \Sigma_0(a_t) + Maj(a_t, b_t, c_t)$ and $e_{t+1} = d_t + T_t$, while the remaining registers are shifted: $b_{t+1} = a_t$, $c_{t+1} = b_t$, $d_{t+1} = c_t$, $f_{t+1} = e_t$, $g_{t+1} = f_t$, $h_{t+1} = g_t$. Here $K_t$ denotes the round constant, and the functions $Ch$, $Maj$, $\Sigma_0$ and $\Sigma_1$ are given by

$Ch(x, y, z) = (x \wedge y) \oplus (\neg x \wedge z),$
$Maj(x, y, z) = (x \wedge y) \oplus (y \wedge z) \oplus (x \wedge z),$
$\Sigma_0(x) = (x \ggg 2) \oplus (x \ggg 13) \oplus (x \ggg 22),$
$\Sigma_1(x) = (x \ggg 6) \oplus (x \ggg 11) \oplus (x \ggg 25).$

Figure 1: Step function of SHA-256

After the 64 expanded message words $W_t$ have been processed, $H_{i+1} = p_{64} + H_i$ (word-wise) is set as the chaining value for the next message block $M_{i+1}$.
B. HMAC

Hash-based MAC (HMAC) is one of the most widely used MAC constructions. It was first introduced by Bellare et al. in 1996 [1] and then standardized by NIST in 2002 [3]. In the HMAC algorithm, the input message $M$ is authenticated by invoking a hash function $\mathcal{H}$ twice with a secret key $K$. The MAC is computed as follows:

$HMAC_K(M) = \mathcal{H}(IV, (K \oplus opad) \| \mathcal{H}(IV, (K \oplus ipad) \| M)),$

where $IV$ is the initial value of $\mathcal{H}$, $opad$ and $ipad$ are two different padding constants, and $\|$ denotes concatenation. Note that before processing $M$, $K$ must be padded with zeros to the length of a single message block of $\mathcal{H}$.

While HMAC can work with any cryptographic hash function, $\mathcal{H}$ is recommended to be a NIST-approved hash function [3]. Hence, SHA-256 is selected to instantiate $\mathcal{H}$, and HMAC instantiated with SHA-256 is denoted HMAC-SHA-256. As depicted in Figure 2, the output $H_{in}$ of the inner call to SHA-256 is 256 bits, so it needs to be padded to 512 bits. Consequently, the outer call to SHA-256 invokes its underlying compression function $CF$ only twice, i.e., $CF_1$ and $CF_2$. Note that $pad$ is a 256-bit padding constant.

Figure 2: The HMAC-SHA-256 construction

C. DFA on SHA-1 compression function

By injecting 1,002 random word faults, the DFA attack [5] on the SHA-1 compression function recovers the chaining value and the input message block with a success rate of 73.7%. The fault model used in [5] is described first. The attack uses a word-oriented random fault model, i.e., a fault with a random unknown 32-bit value is induced into a particular intermediate 32-bit state register at a specified step.

The attack procedure in [5] contains two phases. In the first phase, the final addition is eliminated and the input value $p_{79} = a_{79} \| b_{79} \| c_{79} \| d_{79} \| e_{79}$ of step 79 is computed. The second phase is similar to the DFA attack on SHACAL-1 [11] and aims to extract the input message block $M_i$. The success of the attack mainly relies on the construction of the following two single-variable equations:

$((X + \Phi) \ggg t) - (X \ggg t) = \Psi, \quad (1)$

$(x \oplus \delta) - x = \Delta, \quad (2)$

where $0 \le X, \Phi, \Psi, x, \delta, \Delta < 2^{32}$ are 32-bit integers and $0 < t < 32$. If the value of $(\Phi, \Psi)$ (resp. $(\delta, \Delta)$) can be computed via fault injections, partial information on $X$ (resp. $x$) is obtained. Moreover, the more faulty compression values are obtained, the more information is gained, and consequently the number of candidates for $X$ and $x$ is reduced.

D. Extension to SHA-256 compression function

Due to the very similar design principles of SHA-2 and SHA-1, it is natural to apply the DFA attack in [5] to the SHA-256 compression function $CF$ under the word-oriented random fault model. Let $Y = Y_a \| Y_b \| Y_c \| Y_d \| Y_e \| Y_f \| Y_g \| Y_h$ be the correct output of $CF$. Suppose that a random word fault is induced during another computation of $CF$ with the same inputs; then the corresponding faulty compression value $Y^* = Y_a^* \| Y_b^* \| Y_c^* \| Y_d^* \| Y_e^* \| Y_f^* \| Y_g^* \| Y_h^*$ is obtained. Moreover, let $p_i^* = a_i^* \| b_i^* \| c_i^* \| d_i^* \| e_i^* \| f_i^* \| g_i^* \| h_i^*$ be the faulty input of step $i$ ($i = 0, \dots, 63$), where $x^*$ denotes the faulty value of the state register $x \in \{a, b, c, d, e, f, g, h\}$, and let $p_{64}^*$ be the faulty output of step 63.

Since DFA relies on the propagation of differences, the concrete structure of the analyzed algorithm has a strong impact on DFA. The structure of SHA-256 is more complex than that of SHA-1. Besides the larger state of SHA-256, there are two other key issues that prevent the adversary from constructing single-variable equations like (1) or (2) via fault injections during a DFA on the SHA-256 compression function.

Firstly, the state variable $a_i$ simultaneously participates in two operations, $\Sigma_0(a_i)$ and $Maj(a_i, b_i, c_i)$. Hence, if the value of $a_{63}$ is changed to $a_{63}^*$ by inducing one fault, the following system of equations is obtained:

$a_{63}^* - a_{63} = Y_b^* - Y_b,$
$f_0(a_{63}^*, b_{63}, c_{63}) - f_0(a_{63}, b_{63}, c_{63}) = Y_a^* - Y_a, \quad (3)$

where $f_0(x, y, z) = \Sigma_0(x) + Maj(x, y, z)$. Note that the system (3) contains three variables $a_{63}$, $b_{63}$ and $c_{63}$. Thus partial information on $a_{63}$ cannot be obtained without knowing the values of $b_{63}$ and $c_{63}$. The same holds for $e_i$, which feeds both $\Sigma_1$ and $Ch$.

Secondly, SHA-256 uses two non-linear Boolean functions $Ch$ and $Maj$, compared to the linear Boolean function $f(x, y, z) = x \oplus y \oplus z$ used in the last 20 steps of SHA-1. Without loss of generality, assume that the value of $b_{63}$ is changed to $b_{63}^*$ by one fault injection. Consequently, the following three-variable system of equations is obtained:

$b_{63}^* - b_{63} = Y_c^* - Y_c,$
$Maj(a_{63}, b_{63}^*, c_{63}) - Maj(a_{63}, b_{63}, c_{63}) = Y_a^* - Y_a. \quad (4)$

Since no other relationship between $Maj(a_{63}, b_{63}^*, c_{63})$ and $Maj(a_{63}, b_{63}, c_{63})$ can be generated, such as the $\oplus$-relationship in (2), the value of $Maj(a_{63}, b_{63}, c_{63})$ cannot be determined. Moreover, the value of $b_{63}$ cannot be calculated either, since the values of $a_{63}$ and $c_{63}$ are unknown. Hence, no partial information on $Maj(a_{63}, b_{63}, c_{63})$ or $b_{63}$ can be obtained from the system (4). The same holds for $c_i$, $f_i$ and $g_i$.

Although equations like (1) or (2) cannot be constructed to compute single variables, the values of multiple variables can be computed simultaneously by solving sets of multiple-variable equation systems like (3) or (4) efficiently with algebraic techniques [32]. Hence this paper launches a fault attack on the SHA-256 compression function using AFA instead of DFA under the word-oriented random fault model.

III. AFA ON SHA-256 COMPRESSION FUNCTION

E. The framework of AFA using STP 

Traditional DFA mainly relies on manual analysis of the propagation of the injected faults. When faults are injected in deeper steps of the compression function, the fault propagation path may become very complicated, and the manual analysis becomes difficult for the adversary. Compared to DFA, AFA treats the fault analysis as an algebraic problem and solves it with automatic tools. It is worth applying AFA [4] to the SHA-256 compression function, and the experiments conducted in this work show positive results. The generic framework of AFA is as follows:

- Injecting the faults: the location and the number of random faults to be injected need to be carefully determined. There are many methods to inject a fault; refer to [15, 16, 17] for details.

- Constructing the equation system for the compression function: the remaining step functions, starting from the location of the injected faults, are represented as an equation system. The binary expressions for the bit-oriented operations $\Sigma_0$, $\Sigma_1$, $Maj$ and $Ch$ and for the non-linear operation addition modulo $2^{32}$ need to be constructed carefully.

- Constructing the equation systems for the faults: the step functions affected by the induced faults are represented as equation systems as well.

- Solving the set of equation systems: the equation systems for the correct and faulty computations of the compression function share some common variables, including the chaining value and the expanded message words used in the steps affected by the injected faults. Computing their values is equivalent to solving the set of merged equation systems by invoking automatic tools such as SAT solvers [19, 28].

A typical SAT solver takes conjunctive normal form (CNF) formulas as input, but the Boolean functions and additions in SHA-256 are operations on 32-bit words. Generating the corresponding binary CNF formulas for these word-based operations by hand is cumbersome for the adversary. The tool STP [25] removes this burden.

As a decision procedure for quantifier-free formulas 
with the data types of bit-vector and array, STP 
employs a series of word-level pre-processing 
algorithms to convert the original problem to a CNF 
formula and then solves it by invoking the default SAT 
solver CryptoMiniSat2 [28]. In order to fully exploit the 
speed of the SAT solver, optimizing transformations are 
employed to reduce the size and difficulty of the 
transformed problem. 

STP has been used to search for optimal differential characteristics of the ARX cipher Salsa20 [27]. In this paper, STP is used to solve the set of merged multiple-variable equation systems. To use the tool, the adversary only needs to rewrite the expressions for every addition, rotation, XOR and Boolean function in the compression function according to the input language of STP. STP takes these 32-bit word-based equation systems as input and converts them into a CNF formula, which is then solved by CryptoMiniSat2. If a satisfying assignment of the CNF formula exists, STP converts the binary solution back into a word-based solution for the original 32-bit variables. If no solution is found, STP outputs "Valid".

F. AFA on SHA-256 compression function

Since the chaining value $H_i$ of $CF$ cannot be computed directly, our attack is divided into two phases, similar to the attack procedure in [5]. Phase 1 aims to recover the input value $p_{63}$ of step 63. In phase 2, the input message block $M_i$ is revealed.

The experimental results of AFA on the SHA-256 compression function are also presented in this section. The SHA-256 algorithm is implemented in C and the fault injections are simulated in software. STP with its default SAT solver CryptoMiniSat2 runs on a PC with an Intel(R) Core(TM)2 Quad CPU Q8400 @ 2.66 GHz, 2 GB of memory and Ubuntu 13.10 32-bit desktop OS. During the attack, the set of equation systems conforming to the input requirements of STP is generated automatically by a program with two parameters: the intermediate state register in which the faults are injected, and the number of injected faults. Hence, the adversary can adjust these two parameters to launch AFA on the SHA-256 compression function. Note that in our simulations, once the state register in which the faults are injected is fixed, the number of faults to be injected is chosen adaptively depending on the output of the AFA attack. This is a trade-off between the number of injected faults and the solving time.

Phase 1: Revealing $p_{63}$

To recover $p_{63}$, several random word faults are injected into a particular intermediate state register at a certain step of $CF$. In our attack, 14 faults are injected into $c_{60}$ at step 60 and the corresponding faulty compression values are obtained. After building the set of equation systems for the last 4 steps (including the feed-forward operation) for the correct and faulty compression values, STP is invoked to solve the set of equation systems and outputs the correct solution for $p_{63}$ within one minute. Furthermore, 100 different instances are tested with random word fault injections in order to evaluate the success rate of our attack. The correct value of $p_{63}$ is revealed in all 100 instances. Figure 3 illustrates the statistics of the solving time: the execution time varies from 4.5 seconds to 626 seconds, and more than 80% of the instances output the solution within 100 seconds.

Figure 3: Statistics of the solving time with 14 faults in $c_{60}$ (cumulative fraction of instances against solving time in seconds)
Extension to deeper fault positions. Instead of injecting faults into $c_{60}$ at step 60, faults can be induced in deeper steps. As a direct instance, 13 random faults are first injected into $c_{59}$ at step 59 to launch AFA. After building the set of equation systems for the last 5 steps (59-63), STP is invoked and outputs the correct value of $p_{63}$. Again, by testing 100 different instances, the attack computes the correct solution in 58 seconds on average, with a maximal time of 786.6 seconds. The corresponding statistics of the execution time are presented in Figure 4. The attack can also be extended to step 58 by inducing 13 random faults into $c_{58}$. After testing 100 instances, the results show that our AFA still works, though it requires a much longer solving time: it takes an average of 8.58 hours to output a correct solution, and the exact solving time varies from 0.19 hours to 29.31 hours.

Phase 2: Revealing $M_i$

After phase 1, the correct value of $p_{63}$ is known. Combined with the correct compression value $Y$ and any faulty compression value $Y^*$, the corresponding faulty input $p_{63}^*$ of step 63 can be computed as follows (all differences are ta
ken modulo $2^{32}$):

$a_{63}^* = Y_b^* - Y_b + a_{63},$
$b_{63}^* = Y_c^* - Y_c + b_{63},$
$c_{63}^* = Y_d^* - Y_d + c_{63},$
$e_{63}^* = Y_f^* - Y_f + e_{63},$
$f_{63}^* = Y_g^* - Y_g + f_{63},$
$g_{63}^* = Y_h^* - Y_h + g_{63},$
$h_{63}^* = (T_{63}^* - T_{63}) + f_1(e_{63}, f_{63}, g_{63}) - f_1(e_{63}^*, f_{63}^*, g_{63}^*) + h_{63},$
$d_{63}^* = Y_e^* - Y_e - (T_{63}^* - T_{63}) + d_{63}, \quad (5)$

where $T_{63}^* = h_{63}^* + \Sigma_1(e_{63}^*) + Ch(e_{63}^*, f_{63}^*, g_{63}^*) + K_{63} + W_{63}$ and $f_1(x, y, z) = \Sigma_1(x) + Ch(x, y, z)$. The first six equations follow from the shifted registers of step 63 and the feed-forward, since $Y^* - Y = p_{64}^* - p_{64}$ word-wise. The difference $T_{63}^* - T_{63}$ is obtained from the $a$-word of the output once $a_{63}^*$, $b_{63}^*$ and $c_{63}^*$ are known: $T_{63}^* - T_{63} = Y_a^* - Y_a - f_0(a_{63}^*, b_{63}^*, c_{63}^*) + f_0(a_{63}, b_{63}, c_{63})$, with $f_0$ as defined in (3). $K_{63}$ and $W_{63}$ cancel in this difference, so $W_{63}$ need not be known at this point.

Based on the input values of step 63, phase 2 recovers the input message block $M_i$ of $CF$. The attack procedure is as follows:

- Subphase 1: 13 random word faults are injected into $c_{56}$ at step 56 and the corresponding faulty compression values $Y^*$ are obtained. Then the input value $p_{63}^*$ is calculated for each $Y^*$ as described above. Based on these input values, the set of equation systems for the 7 steps 56-62 is constructed automatically. In our experiment, STP outputs the correct values of the four expanded message words $W_{59}$, $W_{60}$, $W_{61}$ and $W_{62}$. 100 different instances have been tested and all of them output the correct values for these expanded message words, in 34 seconds on average. The statistical result is shown in Figure 5.



Figure 4: Statistics of the solving time with 13 faults in $c_{59}$
- Subphase 2: after revealing the expanded message words used in steps 59 to 62, another 13 random word faults are injected into $c_{52}$ at step 52, and the 13 faulty compression values are obtained. Using the equation system (5), each faulty value $p_{63}^*$ is calculated. Then these faulty values $p_{63}^*$ and the correct value $p_{63}$ are decrypted with the recovered message words $W_{59}$, $W_{60}$, $W_{61}$ and $W_{62}$ to obtain the output values of step 58 (inverting a step requires only its message word, so the faulty states can be inverted with the same words). Thus the steps 52 to 58 can be attacked according to the process in subphase 1, and the correct values of $W_{55}$, $W_{56}$, $W_{57}$ and $W_{58}$ are recovered.

- Subphase 3: Repeat the above procedure by inducing faults into $c_{48}$ and $c_{44}$ sequentially. In total, the 16 expanded message words $W_{47}, W_{48}, \dots, W_{62}$ are recovered, from which $M_i$ is deduced by running the message expansion backwards, i.e., $W_{t-16} = W_t - \sigma_1(W_{t-2}) - W_{t-7} - \sigma_0(W_{t-15})$. Therefore, the input message block $M_i$ of $CF$ is revealed.

With the value of $M_i$, the expanded message word $W_{63}$ of the last step can be computed. Based on the revealed $p_{63}$ and $W_{63}$, $p_{64}$ is calculated and $H_i = Y - p_{64}$ is the chaining value. By injecting about 65 random word faults, the secret inputs of the SHA-256 compression function are extracted in about 200 seconds on average.

Based on the experimental results, the SHA-256 compression function is very vulnerable to AFA. SHA-512 shares the same structure as SHA-256, except for the 64-bit word size, the larger number of steps and the different rotation constants in $\sigma_0$, $\sigma_1$, $\Sigma_0$ and $\Sigma_1$. Hence, our AFA attack can be applied directly to the SHA-512 compression function; these minor differences do not affect it. SHA-224/384 are truncated versions of SHA-256/512. Since only part of the compression value is observed, AFA on the SHA-224/384 compression functions may need more injected faults and a longer solving time to recover the secret inputs.
Figure 5: Statistics of the solving time with 13 faults in $c_{56}$

IV. ALMOST UNIVERSAL FORGERY ATTACK ON HMAC-SHA-256

In [18], Dunkelman et al. introduced the concept of an almost universal forgery attack, which is a very strong form of attack and is originally explained in [18] as follows.

"we can find in linear time and space the tag of essentially any desired message m chosen in advance, after performing a onetime precomputation in which we query the MAC on $2^{n/2}$ messages which are completely unrelated to m. The only sense in which this is not a universal forgery attack is that we need the ability to modify one message block in an easy to compute way."

In this attack, the adversary is free to modify part of $M$, i.e., at least one message block. Later, Y. Sasaki presented an almost universal forgery attack on LPMAC [20].

In our almost universal forgery attack, the adversary first chooses a random 447-bit message string. Before its tag is computed, the string is padded to a 512-bit message block $M_0$ with one bit "1" and the 64-bit binary representation of the message length (inside HMAC this length counts the preceding key block $K \oplus ipad$ as well). Then the adversary accesses the device to compute the tag of $M_0$. During the calculation, the adversary launches the above AFA attack on the SHA-256 compression function $CF_2$ to reveal $K_{out}$ and $H_{in} \| pad$, as shown in Figure 6. In the online stage, given any message $M$ whose first block equals $M_0$, the corresponding tag of $M$ can be computed from the values of $K_{out}$ and $H_{in}$: $H_{in}$ is the inner chaining value after $M_0$ and $K_{out}$ is the outer chaining value, and neither depends on the blocks that follow $M_0$. Hence an almost universal forgery on HMAC-SHA-256 is constructed.
Figure 6: Almost universal forgery on HMAC-SHA-256
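The following Python is an added example and not the paper's code. It implements the SHA-256 compression function of Section II.A as described there (message expansion, step function, feed-forward), the inverse step and the inverse message expansion that Phase 2 relies on, and the forgery of this section on top of them. The key, message and appended suffix are constructed sample values; the key is assumed to be at most one block long; `hmac_sha256_trace` stands in for the fault attack on $CF_2$ by returning $K_{out}$ and $H_{in}$ directly; and a 55-byte (440-bit) message replaces the paper's 447-bit string so that the block boundary is byte-aligned. $K$ and $IV$ are the FIPS 180-4 constants, and every result is checked against Python's hashlib and hmac modules.

```python
# Added example, not the paper's code: SHA-256 CF (Section II.A), the inverses that Phase 2
# relies on, and the HMAC-SHA-256 forgery of Section IV. K and IV are FIPS 180-4 constants.
import hashlib
import hmac
import struct

MASK = 0xFFFFFFFF
K = [
    0x428a2f98, 0x71374491, 0xb5c0fbcf, 0xe9b5dba5, 0x3956c25b, 0x59f111f1, 0x923f82a4, 0xab1c5ed5,
    0xd807aa98, 0x12835b01, 0x243185be, 0x550c7dc3, 0x72be5d74, 0x80deb1fe, 0x9bdc06a7, 0xc19bf174,
    0xe49b69c1, 0xefbe4786, 0x0fc19dc6, 0x240ca1cc, 0x2de92c6f, 0x4a7484aa, 0x5cb0a9dc, 0x76f988da,
    0x983e5152, 0xa831c66d, 0xb00327c8, 0xbf597fc7, 0xc6e00bf3, 0xd5a79147, 0x06ca6351, 0x14292967,
    0x27b70a85, 0x2e1b2138, 0x4d2c6dfc, 0x53380d13, 0x650a7354, 0x766a0abb, 0x81c2c92e, 0x92722c85,
    0xa2bfe8a1, 0xa81a664b, 0xc24b8b70, 0xc76c51a3, 0xd192e819, 0xd6990624, 0xf40e3585, 0x106aa070,
    0x19a4c116, 0x1e376c08, 0x2748774c, 0x34b0bcb5, 0x391c0cb3, 0x4ed8aa4a, 0x5b9cca4f, 0x682e6ff3,
    0x748f82ee, 0x78a5636f, 0x84c87814, 0x8cc70208, 0x90befffa, 0xa4506ceb, 0xbef9a3f7, 0xc67178f2,
]
IV = [0x6a09e667, 0xbb67ae85, 0x3c6ef372, 0xa54ff53a, 0x510e527f, 0x9b05688c, 0x1f83d9ab, 0x5be0cd19]

def rotr(x, n): return ((x >> n) | (x << (32 - n))) & MASK
def sigma0(x): return rotr(x, 7) ^ rotr(x, 18) ^ (x >> 3)      # message schedule
def sigma1(x): return rotr(x, 17) ^ rotr(x, 19) ^ (x >> 10)
def Sigma0(x): return rotr(x, 2) ^ rotr(x, 13) ^ rotr(x, 22)    # state update
def Sigma1(x): return rotr(x, 6) ^ rotr(x, 11) ^ rotr(x, 25)
def Ch(x, y, z): return (x & y) ^ (~x & z & MASK)
def Maj(x, y, z): return (x & y) ^ (y & z) ^ (x & z)

def expand(block):
    """Message expansion: m_0..m_15 -> W_0..W_63."""
    W = list(struct.unpack(">16I", block))
    for i in range(16, 64):
        W.append((sigma1(W[i - 2]) + W[i - 7] + sigma0(W[i - 15]) + W[i - 16]) & MASK)
    return W

def expand_inverse(W_tail, first):
    """Subphase 3: run the expansion backwards from W_first..W_{first+15} down to m_0..m_15."""
    W = list(W_tail)
    for _ in range(first):   # W_{i-16} = W_i - sigma1(W_{i-2}) - W_{i-7} - sigma0(W_{i-15})
        W.insert(0, (W[15] - sigma1(W[13]) - W[8] - sigma0(W[0])) & MASK)
    return W[:16]

def step(p, w, k):
    """State update step: p_t -> p_{t+1} (Figure 1)."""
    a, b, c, d, e, f, g, h = p
    T1 = (h + Sigma1(e) + Ch(e, f, g) + k + w) & MASK
    T2 = (Sigma0(a) + Maj(a, b, c)) & MASK
    return [(T1 + T2) & MASK, a, b, c, (d + T1) & MASK, e, f, g]

def step_inverse(p_next, w, k):
    """p_{t+1} -> p_t once W_t is known: the 'decryption' of Phase 2, subphase 2."""
    a1, a, b, c, e1, e, f, g = p_next      # six registers of p_t are plain shifts
    T1 = (a1 - Sigma0(a) - Maj(a, b, c)) & MASK
    d = (e1 - T1) & MASK
    h = (T1 - Sigma1(e) - Ch(e, f, g) - k - w) & MASK
    return [a, b, c, d, e, f, g, h]

def compress(h_in, block):
    """CF(M_i, H_i): 64 steps, then the feed-forward H_{i+1} = p_64 + H_i."""
    W, p = expand(block), list(h_in)
    for i in range(64):
        p = step(p, W[i], K[i])
    return [(x + y) & MASK for x, y in zip(p, h_in)]

def pad(tail, total_len=None):
    """Merkle-Damgard strengthening; total_len also counts blocks absorbed before tail."""
    total_len = len(tail) if total_len is None else total_len
    return tail + b"\x80" + b"\x00" * ((55 - total_len) % 64) + struct.pack(">Q", 8 * total_len)

def absorb(h, padded):
    for off in range(0, len(padded), 64):
        h = compress(h, padded[off:off + 64])
    return h

def to_bytes(h): return struct.pack(">8I", *h)
def sha256(msg): return to_bytes(absorb(IV, pad(msg)))

def hmac_sha256_trace(key, msg):
    """HMAC-SHA-256 as in Figure 2 (key at most one block). Returns K_out, H_in, tag."""
    key = key.ljust(64, b"\x00")
    k_in = compress(IV, bytes(x ^ 0x36 for x in key))    # CF(IV, K xor ipad)
    k_out = compress(IV, bytes(x ^ 0x5C for x in key))   # CF(IV, K xor opad) = K_out
    h_in = absorb(k_in, pad(msg, 64 + len(msg)))         # inner hash; AFA on CF_2 leaks it
    return k_out, h_in, to_bytes(absorb(k_out, pad(to_bytes(h_in), 96)))  # CF_2 on H_in || pad

def forge_tag(k_out, h_in, m0_block, suffix):
    """Tag M_0 || suffix from K_out and the inner state H_in after block M_0, without K."""
    inner = absorb(h_in, pad(suffix, 64 + len(m0_block) + len(suffix)))
    return to_bytes(absorb(k_out, pad(to_bytes(inner), 96)))

def demo():
    """Constructed key and message; returns every check as a boolean."""
    key, m = b"constructed-hmac-key", b"m" * 55       # 55-byte m: key block + m pad to one block
    m0_block = pad(m, 64 + len(m))                     # M_0 exactly as the inner CF consumes it
    k_out, h_in, tag = hmac_sha256_trace(key, m)       # stands in for what AFA on CF_2 leaks
    suffix, W = b"appended by the forger", expand(m0_block)
    forged = forge_tag(k_out, h_in, m0_block, suffix)
    return {
        "cf_matches_hashlib": sha256(b"abc") == hashlib.sha256(b"abc").digest(),
        "hmac_matches_stdlib": tag == hmac.new(key, m, hashlib.sha256).digest(),
        "step_inverse_roundtrip": step_inverse(step(IV, W[0], K[0]), W[0], K[0]) == IV,
        "expansion_inverted_from_W47_W62": expand_inverse(W[47:63], 47) == W[:16],
        "forgery_verifies": forged == hmac.new(key, m0_block + suffix, hashlib.sha256).digest(),
    }
```

The forgery succeeds because $H_{in}$ is exactly the inner chaining value after the block $M_0$ and $K_{out}$ is the outer chaining value; neither depends on what the forger appends, so only the length field of the final padding has to be adjusted. `step_inverse` shows why recovering $W_{59}, \dots, W_{62}$ suffices to "decrypt" $p_{63}$ back to the output of step 58: inverting a step needs the message word and the round constant but nothing else, and `expand_inverse` shows why 16 consecutive expanded words determine $M_i$.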

Remark. In order to recover the secret key $K$ of HMAC-SHA-256, the adversary would need to launch AFA on the SHA-256 compression function $CF_1$. This requires the adversary to learn the faulty output chaining value $K_{out}^*$ of $CF_1$ (the faulty input chaining value of $CF_2$) for each fault injection in advance, but this condition cannot be fulfilled in our attack model. Thus the secret key $K$ cannot be recovered by the above AFA attack on the SHA-256 compression function.
V. DISCUSSION

A. The effect on AFA by the structure of SHA-256

Similar to DFA, AFA is also affected by the properties of difference propagation, especially for the generalized unbalanced Feistel structure of SHA-256. In order to examine how faults injected at different positions affect the efficiency of AFA, 13 random word faults are induced each time into one state register from $\{a_{59}, b_{59}, \dots, h_{59}\}$ at step 59, and the goal is to recover $p_{63}$. For each case, the recovery procedure is tested 100 times with different random fault injections. The output for each case is listed in Table 1. The results show that when 13 faults are injected into $a_{59}$ or $b_{59}$, the attack cannot output the correct solution for $p_{63}$. When the faults are induced into $e_{59}$, four consecutive states together with the corresponding message words are revealed correctly.



Table 1: The output with 13 faults for each case

fault position | Nr. of faults | output states                    | output subwords
$a_{59}$       | 13            | -                                | -
$b_{59}$       | 13            | -                                | -
$c_{59}$       | 13            | $p_{63}$                         | -
$d_{59}$       | 13            | $p_{63}, p_{62}, p_{61}$         | $W_{62}, W_{61}$
$e_{59}$       | 13            | $p_{63}, p_{62}, p_{61}, p_{60}$ | $W_{62}, W_{61}, W_{60}$
$f_{59}$       | 13            | $p_{63}, p_{62}$                 | $W_{62}$
$g_{59}$       | 13            | $p_{63}, p_{62}$                 | $W_{62}$
$h_{59}$       | 13            | $p_{63}, p_{62}, p_{61}$         | $W_{62}, W_{61}$



The statistics of the solving time are illustrated in Figure 7, where the four colors from blue to green denote the percentage of instances with an execution time below 200 seconds, below 400 seconds, below 600 seconds and above 600 seconds respectively. As depicted in Figure 7, the percentage of instances with a solving time above 200 seconds appears to grow with the number of computed states, i.e., the more states are solved correctly, the more instances take longer than 200 seconds. When launching an AFA attack, injecting faults into the right four branches of the SHA-256 step function is more efficient in terms of the number of correct states obtained. That is, an even smaller number of faults at these positions suffices if the adversary only aims to reveal $p_{63}$.

B. AFA on SHA-1 compression function

The original DFA on the SHA-1 compression function [5] consists of two phases: the computational elimination of the final addition, and the SHACAL-1 phase. The AFA attack presented in this paper may be applied to improve this attack as well.

Figure 7: Statistics of the time with 13 faults for 6 cases in step 59

Firstly, the final addition may be eliminated by AFA with fewer injected faults. Instead of computing the values of $a_{79}$, $a_{78}$ and $b_{79} \oplus c_{79} \oplus d_{79}$, $a_{77}$ and $b_{78} \oplus c_{78} \oplus d_{78}$ by injecting faults at different positions, AFA can take full advantage of the information induced by faults injected in a deeper step to simultaneously calculate the values of $b_{79}, c_{79}, d_{79}, e_{79}$ and at least the highest five bits of $a_{79}$. Since the faults used for eliminating the final addition in [5] account for a large proportion of all faults needed, the total number of faults for the fault attack on the SHA-1 compression function may be reduced significantly. Secondly, based on the known $p_{79}$ and $p_{79}^*$, it is very probable that fewer fault injections are needed for solving several consecutive message words. Therefore, the DFA attack on the SHA-1 compression function may be improved with AFA by reducing the number of injected faults and injecting the faults in deeper steps at the same time.

VI. CONCLUSION

In this paper, an efficient AFA attack on the SHA-256 compression function is proposed. Due to the special structure of SHA-256, the fault attack on the SHA-256 compression function is more efficient and feasible with algebraic techniques than with differential analysis. Furthermore, the tool STP is used to launch the AFA attack automatically and efficiently by carefully modeling the operations of the compression function and fully exploiting the power of SAT solvers.

In order to show the feasibility of our attack, the AFA attack is simulated under a word-oriented random fault model. By injecting only about 65 faults, the secret inputs of the SHA-256 compression function, including the chaining value and the input message block, are revealed within minutes.

Based on the AFA attack on the SHA-256 compression function, an almost universal forgery on HMAC-SHA-256 is also presented. It shows that applications using the SHA-256 compression function should be protected against the threat of fault injection.

The AFA attack presented in this paper is generic, automatic and easy to extend to other ARX-based primitives, such as the other SHA-2 variants, MD5, SHA-1, HAS-160, SM3, Skein and BLAKE. This is work in progress.